Hello Benyamin:
Can you specify what rules you are manually creating in the OVN database? The code you are referring to is the sync tool. The goal of this tool is to sync both databases, OVN and Neutron. But please remember that Neutron is the CMS, it is the only source of truth and it controls the network backend, in this case OVN. Any definition should be done in Neutron, and any manual change in the OVN database will be restored or the environment will fail.
Regards.
On Tue, Jan 23, 2024 at 11:15 AM benyamin sam khanyani <bsamkhaniyani@gmail.com> wrote:
Thanks for your comprehensive reply.
I apply completely similar rules to what Neutron installs in the OVN Northbound Database, and I think it is compatible with LB, OVS, and OVN. I think the main issue is the sync mechanism between the Neutron DB and the OVN Northbound DB [1] (Line 244). Clearly, it's not a bug, but I think this function can be enhanced in order to support changes which can be defined directly in the OVN Northbound DB. As there are a variety of functionalities in the ovn-nbctl and ovn-sbctl command line tools, I believe that it could be beneficial.
[1] https://github.com/openstack/neutron/blob/dad8c3fecc4e97764a92f558d9df510fa2...
On Mon, 22 Jan 2024 at 18:31, Rodolfo Alonso Hernandez <ralonsoh@redhat.com> wrote:
Hello Benyamin:
I'm guessing from your mail that you are referring to Neutron security groups and you are using ML2/OVN. Any SG rule should be defined in Neutron, not in OVN directly. The Neutron SG rules are translated to ACLs and applied to a port group. If you are interested in how this is done, please check [1].
If you want to add any new functionality to the SG rules, you should create an LP bug [2] with an RFE. This RFE should be a high-level description of what you want to implement. Be aware that we have multiple mechanism drivers in-tree: LB, OVS and OVN. This feature should be compatible with all of them. The RFE can be discussed during the Neutron drivers meetings [3].
Regards.
[1] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers...
[2] https://bugs.launchpad.net/neutron/
[3] https://meetings.opendev.org/#Neutron_drivers_Meeting
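The two points made in this thread, that Neutron SG rules are translated into OVN ACLs on a port group and that the sync tool treats Neutron as the only source of truth, can be seen together in a small model. The following is an added example and is not Neutron's own code (the real translation lives in the file linked at [1]); the port-group naming pattern neutron_pg_<sg_id>, the priority 1002 and the allow-related action are assumptions that mirror the general shape of what ML2/OVN emits, and the sync policy is modelled on the maintainer's statement above. The sample security-group id and the hand-written "drop" ACL are constructed for the demonstration:

```python
"""Toy model of ML2/OVN security-group handling (added example, not Neutron code).

Assumptions, not taken from the thread: the port-group name neutron_pg_<sg_id>
with dashes replaced, priority 1002 and action allow-related are illustrative
stand-ins for the shape of the ACLs ML2/OVN generates; the sync rule "Neutron
wins" follows the maintainer's description of the sync tool.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SGRule:
    """A Neutron security-group rule, in Neutron API vocabulary."""
    direction: str                          # "ingress" or "egress"
    ethertype: str = "IPv4"                 # "IPv4" or "IPv6"
    protocol: Optional[str] = None          # "tcp", "udp", "icmp" or None (any)
    port_range_min: Optional[int] = None
    port_range_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None


@dataclass(frozen=True, order=True)
class ACL:
    """One row of the OVN NB ACL table as attached to a port group."""
    direction: str   # OVN vocabulary: "to-lport" (ingress) or "from-lport" (egress)
    priority: int
    match: str
    action: str


def pg_name(sg_id: str) -> str:
    # Assumed naming: one OVN port group per Neutron security group.
    return "neutron_pg_" + sg_id.replace("-", "_")


def sg_rule_to_acl(sg_id: str, rule: SGRule) -> ACL:
    """Translate one SG rule into the ACL Neutron would install for it."""
    pg = pg_name(sg_id)
    if rule.direction == "ingress":
        # Ingress is traffic delivered *to* the port; the remote side is the source.
        parts, ovn_dir, remote = [f"outport == @{pg}"], "to-lport", "src"
    elif rule.direction == "egress":
        parts, ovn_dir, remote = [f"inport == @{pg}"], "from-lport", "dst"
    else:
        raise ValueError(f"unknown direction {rule.direction!r}")

    ip = "ip4" if rule.ethertype == "IPv4" else "ip6"
    parts.append(ip)
    if rule.remote_ip_prefix:
        parts.append(f"{ip}.{remote} == {rule.remote_ip_prefix}")
    if rule.protocol:
        parts.append(rule.protocol)
        if rule.protocol in ("tcp", "udp") and rule.port_range_min is not None:
            lo = rule.port_range_min
            hi = rule.port_range_max if rule.port_range_max is not None else lo
            # A Neutron SG rule can only constrain the *destination* port.
            if lo == hi:
                parts.append(f"{rule.protocol}.dst == {lo}")
            else:
                parts.append(f"{rule.protocol}.dst >= {lo} && {rule.protocol}.dst <= {hi}")
    return ACL(ovn_dir, 1002, " && ".join(parts), "allow-related")


def expected_acls(sg_id: str, rules) -> set:
    """The ACL set Neutron's database implies for one security group."""
    return {sg_rule_to_acl(sg_id, r) for r in rules}


def sync_plan(expected: set, in_ovn: set):
    """What a Neutron -> OVN sync does: add what Neutron expects and OVN lacks,
    remove what OVN has and Neutron cannot account for. Returns (add, remove)."""
    return sorted(expected - in_ovn), sorted(in_ovn - expected)


def demo():
    sg_id = "1f2e3d4c-0000-4000-8000-000000000001"   # constructed sample id
    rules = [
        SGRule("ingress", protocol="tcp", port_range_min=22, port_range_max=22,
               remote_ip_prefix="10.0.0.0/24"),
        SGRule("egress"),
    ]
    wanted = expected_acls(sg_id, rules)
    # A match on the *source* port has no Neutron SG representation, so the only
    # way to get it into OVN is by hand (for example with ovn-nbctl acl-add).
    hand_written = ACL("to-lport", 1003,
                       f"outport == @{pg_name(sg_id)} && ip4 && tcp && tcp.src == 4444",
                       "drop")
    in_ovn = set(wanted) | {hand_written}
    return sync_plan(wanted, in_ovn)


if __name__ == "__main__":
    to_add, to_remove = demo()
    print("to add:", to_add)
    print("to remove:", to_remove)
```

Running the module shows an empty "to add" list and the hand-written drop ACL in "to remove": because it has no counterpart in the Neutron database, the reconciliation has nothing to restore it from, which is exactly why the questioner's ovn-nbctl rules do not appear in MariaDB and do not survive a sync.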
On Mon, Jan 22, 2024 at 3:41 PM benyamin sam khanyani <bsamkhaniyani@gmail.com> wrote:
Hi,
I am working on the security group and aim to extend its functionality by applying custom rules based on source and destination ports, arbitrary match criteria, actions, and so on. I did it by using ovn-nbctl commands and everything worked well. Unfortunately, the only issue is that I can not see my custom rules in MariaDB and I didn't find any other solution for defining security group rules with my desired options. So, I want to ask you how I can tackle this issue?
Regards, Benjamin Sam